Blame SOURCES/README.FIPS

e4b8d1
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
e4b8d1
=================================================================
e4b8d1
e4b8d1
This package contains libraries which comprise the FIPS 140-2
e4b8d1
Red Hat Enterprise Linux - OPENSSL Module.
e4b8d1
e4b8d1
The module files
e4b8d1
================
e4b8d1
/usr/lib[64]/libcrypto.so.1.1.0
e4b8d1
/usr/lib[64]/libssl.so.1.1.0
e4b8d1
/usr/lib[64]/.libcrypto.so.1.1.0.hmac
e4b8d1
/usr/lib[64]/.libssl.so.1.1.0.hmac
e4b8d1
e4b8d1
Dependencies
e4b8d1
============
e4b8d1
e4b8d1
The approved mode of operation requires kernel with /dev/urandom RNG running
e4b8d1
with properties as defined in the security policy of the module. This is
e4b8d1
provided by kernel packages with validated Red Hat Enterprise Linux Kernel
e4b8d1
Crytographic Module.
e4b8d1
e4b8d1
Installation
e4b8d1
============
e4b8d1
e4b8d1
The RPM package of the module can be installed by standard tools recommended
e4b8d1
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
e4b8d1
rpm, RHN remote management tool).
e4b8d1
e4b8d1
The RPM package dracut-fips must be installed for the approved mode of
e4b8d1
operation.
e4b8d1
e4b8d1
Usage and API
e4b8d1
=============
e4b8d1
e4b8d1
The module respects kernel command line FIPS setting. If the kernel command
e4b8d1
line contains option fips=1 the module will initialize in the FIPS approved
e4b8d1
mode of operation automatically. To allow for the automatic initialization the
e4b8d1
application using the module has to call one of the following API calls:
e4b8d1
e4b8d1
- void OPENSSL_init_library(void) - this will do only a basic initialization
e4b8d1
of the library and does initialization of the FIPS approved mode without setting
e4b8d1
up EVP API with supported algorithms.
e4b8d1
e4b8d1
- void OPENSSL_add_all_algorithms(void) - this API function calls
e4b8d1
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
e4b8d1
in the approved mode 
e4b8d1
e4b8d1
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
e4b8d1
adds algorithms which are necessary for TLS protocol support and initializes
e4b8d1
the SSL library.
e4b8d1
e4b8d1
To explicitely put the library to the approved mode the application can call
e4b8d1
the following function:
e4b8d1
e4b8d1
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
e4b8d1
the library from the non-approved to the approved mode. If any of the selftests
e4b8d1
and integrity verification tests fail, the library is put into the error state
e4b8d1
and 0 is returned. If they succeed the return value is 1.
e4b8d1
e4b8d1
To query the module whether it is in the approved mode or not:
e4b8d1
e4b8d1
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
e4b8d1
0 otherwise.
e4b8d1
e4b8d1
To query whether the module is in the error state:
e4b8d1
e4b8d1
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
e4b8d1
state, 0 otherwise.
e4b8d1
e4b8d1
To zeroize the FIPS RNG key and internal state the application calls:
e4b8d1
e4b8d1
- void RAND_cleanup(void)